REMARKS 

The present Amendment amends claims 8, 9 and 13, leaves claims 11 
and 12 unchanged and cancels claim 10. Therefore, the present application 
has pending claims 8, 9 and 11-13. 

Applicants respectfully request the Examiner to contact Applicants' 
Attorney, the undersigned, by telephone so as to discuss the outstanding 
issues of the present application prior to examination. 

Claims 8-11 and 13 stand rejected under 35 USC §103(a) as being 
unpatentable over Wiegel (U.S. Patent No. 6,484,261) and further in view of 
Grimm (U.S. Patent No. 6,317,868); and claim 12 stands rejected under 35 
USC §103(a) as being unpatentable over Wiegel, Grimm and further in view of Cert 
(the article entitled "CERT'S CC Vendor-Initiated Bulletins 1994-1998"). As 
indicated above, claim 10 was canceled. Therefore, the above rejection of 
claim 10 is rendered moot. Accordingly, reconsideration and withdrawal of 
this rejection of claim 10 is respectfully requested. The above rejections with 
respect to the remaining claims 8, 9 and 11-13 are traversed for the following 
reasons. Applicants submit that the features of the present invention as now 
more clearly recited in claims 8, 9 and 11-13 are not taught or suggested by 
Wiegel, Grimm or Cert whether taken individually or in combination with each 
other as suggested by the Examiner. Therefore, Applicants respectfully 
request the Examiner to reconsider and withdraw these rejections. 

Amendments were made to the claims so as to more clearly describe 
features of the present invention. Particularly, amendments were made to the 
claims to more clearly recite that the present invention is directed to a security 
management method and system for supporting security management of 
managed systems executed in an information system including a plurality of 
computers connected through a network. According to the present invention, 
a plurality of security control means and means for obtaining the 
status/changing configuration of the security control means, information 
security policy management and inspection supporting device are provided so 
as to aid in the simplified control and management of security conditions of an 
information system while conforming to security policy. According to the 
present invention, the security management method and system inspects 
whether the managed system is constructed and operated in conformity to the 
policy established in the design phase of such information system and is able 
to make changes in configurations of the managed systems when there is a 
problem by feeding back such information identifying such problems to the 
security management method and system. 

Specifically, the present invention as now more clearly recited in the 
claims provides a security management system and method implemented by 
the system for supporting security management of a plurality of managed 
systems executed in an information system including a plurality of computers 
connected to each other through a network. 

According to the present invention, the method includes a system 
design step for designing security specifications to be applied to the 
information system by extracting an information security policy which 
corresponds to each managed system constituting an information system 
designated by a user from a database where a correspondence between 
information security policies representing policies of security measures with at 
least one managed system and the managed system is described, a security 
install step for executing a plurality of audit programs wherein a process is 
described to audit security status concerning the information security policy 
which is specified by security specification designed in the security design 
step for collecting the security status of each managed system designated by 
the user, and for managing the security status of the managed systems 
designated by the user, based on the collected information, in consistency of 
information security policy specified by security specification designed in the 
security design step and a security management step for executing the 
install step periodically. 

It should be noted that the amendments made to the claims are 
intended to more clearly describe features of the present invention regarding 
the process conducted during the management phase as discussed, for 
example, in the present application beginning on page 44, line 4 through page 
45, line 6. 

The above described features of the present invention now more 
clearly recited in the claims are not taught or suggested by Wiegel, Grimm or 
Cert whether taken individually or in combination with each other as 
suggested by the Examiner. 

Wiegel teaches a graphical network security policy management 
method and system which supports the establishment of a security policy in 
the form of a decision tree that is constructed by assembling graphical 
symbols representing policy actions and policy conditions. As taught by 
Wiegel, a user modifies properties of the graphical symbols to create a logical 
representation of the policy while the logical representation is transformed into 
a textual script that represents the policy and the script is displayed as the 
user works with the logical representation. The script is then translated into 
machine instructions that govern the operation of a network gateway or 
firewall. However, at no point is there any teaching or suggestion in Wiegel of 
providing security control means and means for obtaining status of security of 
different managed systems and to change configuration of the managed 
systems for controlling a security both during the design phase and during the 
operation phase as in the present invention. The system taught by Wiegel 
could support the establishment of security policies. 

The system taught by Wiegel is not intended to inspect whether the 
system operates in conformity to the security policy established during the 
design as in the present invention such as, for example, during operation of 
the system as in the present invention. 

Further, the system taught by Wiegel does not teach or suggest the 
features of the present invention as now more clearly recited in the claims 
regarding the details of the management phase. According to the present 
invention as now more clearly recited in the claims during the management 
step the install step is executed periodically. Such features are clearly not 
taught or suggested by Wiegel. 

Thus, Wiegel fails to teach or suggest a security design step for 
designing security specification to be applied to the information system by 
extracting an information security policy which corresponds to each managed 
system constituting an information system designated by a user from a 
database where a correspondence between information security policies 
representing policies of security measures with at least one managed system 
and the managed system is described as recited in the claims. 

Further, Wiegel fails to teach or suggest a security install step for 
executing a plurality of audit programs wherein a process is described to audit 
security status concerning the information security policy which is specified by 
security specifications designed in the security design step, for collecting the 
security status of each managed system designated by the user, and for 
changing the security status of the managed systems designated by the user, 
based on the collected information in consistency of information security 
policies specified by the security specifications designed in the security 
design step as recited in the claims. 

Still further, Wiegel fails to teach or suggest a security management 
step for executing the install step periodically as recited in the claims. 

The above noted deficiencies of Wiegel are also evident in Grimm. 
Therefore, combining the teachings of Wiegel and Grimm in the manner 
suggested by the Examiner in the Office Action still fails to teach or suggest 
the features of the present invention as now more clearly recited in the claims. 

Grimm teaches a process for transparently enforcing protection 
domains and access control as well as auditing operations and software 
components. Grimm specifically teaches an introspection service for 
analyzing software components and an interposition service for correcting the 
software components as its constituent elements. Grimm, the same as 
Wiegel, fails to teach or suggest the above described features of the present 
invention regarding the providing of security control means and means for 
obtaining the status and changing the configuration of the security control 
means in the appropriate manner relative to the security specifications. At no 
point is there any teaching or suggestion in Grimm of the above described 
features of the present invention regarding the security design step, the 
security install step and the security management step as recited in the 
claims. 

Thus, as is quite clear from the above, both Wiegel and Grimm fail to 
teach or suggest the features of the present invention as now more clearly 
recited in the claims. Therefore, combining the teachings of Wiegel and 
Grimm in the manner suggested by the Examiner in the Office Action does not 
render obvious the features of the present invention as now more clearly 
recited in the claims. Accordingly, reconsideration and withdrawal of the 35 
USC §103(a) rejection of claims 8-11 and 13 as being unpatentable over 
Wiegel in view of Grimm is respectfully requested. 

The above noted deficiencies of Wiegel and Grimm are also not 
supplied by Cert. Cert is merely relied upon by the Examiner for an alleged 
teaching of security information published by a security information 
organization including Cert. Thus, at no point is there any teaching or 
suggestion in Cert of the above described features of the present invention 
regarding the security specification design step, the security install step and 
the security management step as recited in the claims. 

Thus, Cert suffers from the same deficiencies relative to the features of 
the present invention as recited in the claims as Wiegel and Grimm. 
Therefore, combining the teachings of Wiegel, Grimm and Cert in the manner 
suggested by the Examiner in the Office Action does not render obvious the 
features of the present invention as now more clearly recited in the claims. 
Accordingly, reconsideration and withdrawal of the 35 USC §103(a) rejection 
of claim 12 as being unpatentable over Wiegel, Grimm and Cert is respectfully 
requested. 

The remaining references of record have been studied. Applicants 
submit that they do not supply any of the deficiencies noted above with 
respect to the references utilized in the rejection of claims 8, 9 and 11-13. 

In view of the foregoing amendments and remarks, applicants submit 
that claims 8, 9 and 11-13 are in condition for allowance. Accordingly, early 
allowance of claims 8, 9 and 11-13 is respectfully requested. 






To the extent necessary, the applicants petition for an extension of time 
under 37 CFR 1.136. Please charge any shortage in fees due in connection 
with the filing of this paper, including extension of time fees, or credit any 
overpayment of fees, to the deposit account of MATTINGLY, STANGER, 
MALUR & BRUNDIDGE, P.C., Deposit Account No. 50-1417 
(566.39530VX1). 



Respectfully submitted, 



MATTINGLY, STANGER, MALUR & BRUNDIDGE, P.C. 




Carl I. Brundidge 
Registration No. 29,621 